containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11101 from rhatdan/selinux 

Fix handling of user specified container labels
This commit is contained in:
openshift-ci[bot] 2021-08-03 12:33:59 +00:00 committed by GitHub
parent d25f8d07b3 985c717085
commit e93661f5e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 35 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
libpod/container_internal.go
View File

@ -472,20 +472,10 @@ func (c *Container) setupStorage(ctx context.Context) error {
c.config.IDMappings.UIDMap = containerInfo.UIDMap c.config.IDMappings.UIDMap = containerInfo.UIDMap
c.config.IDMappings.GIDMap = containerInfo.GIDMap c.config.IDMappings.GIDMap = containerInfo.GIDMap
processLabel := containerInfo.ProcessLabel processLabel, err := c.processLabel(containerInfo.ProcessLabel)
switch {
case c.ociRuntime.SupportsKVM():
processLabel, err = selinux.KVMLabel(processLabel)
if err != nil { if err != nil {
return err return err
} }
case c.config.Systemd:
processLabel, err = selinux.InitLabel(processLabel)
if err != nil {
return err
}
}
c.config.ProcessLabel = processLabel c.config.ProcessLabel = processLabel
c.config.MountLabel = containerInfo.MountLabel c.config.MountLabel = containerInfo.MountLabel
c.config.StaticDir = containerInfo.Dir c.config.StaticDir = containerInfo.Dir
@ -520,6 +510,26 @@ func (c *Container) setupStorage(ctx context.Context) error {
return nil return nil
} }
func (c *Container) processLabel(processLabel string) (string, error) {
if !c.config.Systemd && !c.ociRuntime.SupportsKVM() {
return processLabel, nil
}
ctrSpec, err := c.specFromState()
if err != nil {
return "", err
}
label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]
if !ok || !strings.Contains(label, "type:") {
switch {
case c.ociRuntime.SupportsKVM():
return selinux.KVMLabel(processLabel)
case c.config.Systemd:
return selinux.InitLabel(processLabel)
}
}
return processLabel, nil
}
// Tear down a container's storage prior to removal // Tear down a container's storage prior to removal
func (c *Container) teardownStorage() error { func (c *Container) teardownStorage() error {
if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) { if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) {

12
test/system/410-selinux.bats
View File

@ -50,6 +50,18 @@ function check_label() {
check_label "--systemd=always" "container_init_t" check_label "--systemd=always" "container_init_t"
} }
@test "podman selinux: init container with --security-opt type" {
check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t"
}
@test "podman selinux: init container with --security-opt level&type" {
check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2"
}
@test "podman selinux: init container with --security-opt level" {
check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t" "s0:c1,c2"
}
@test "podman selinux: pid=host" { @test "podman selinux: pid=host" {
# FIXME this test fails when run rootless with runc: # FIXME this test fails when run rootless with runc:
# Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied # Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied